Hello community, here is the log from the commit of package libsndfile for openSUSE:Factory checked in at 2015-11-08 11:25:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsndfile (Old) and /work/SRC/openSUSE:Factory/.libsndfile.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libsndfile" Changes: -------- --- /work/SRC/openSUSE:Factory/libsndfile/libsndfile.changes 2015-03-27 09:39:04.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libsndfile.new/libsndfile.changes 2015-11-08 11:25:42.000000000 +0100 @@ -1,0 +2,16 @@ +Wed Nov 4 16:43:39 CET 2015 - tiwai@suse.de + +- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516) + libsndfile-src-common.c-Fix-a-header-parsing-bug.patch + libsndfile-fix-header-read-CVE-2015-7805.patch +- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519) + libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch +- Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro + +------------------------------------------------------------------- +Wed Nov 4 11:38:16 CET 2015 - tiwai@suse.de + +- VUL-1: libsndfile DoS/divide-by-zero (CVE-2014-9756, bsc#953521): + libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch + +------------------------------------------------------------------- New: ---- libsndfile-fix-header-read-CVE-2015-7805.patch libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch libsndfile-src-common.c-Fix-a-header-parsing-bug.patch libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsndfile.spec ++++++ --- /var/tmp/diff_new_pack.mOraYf/_old 2015-11-08 11:25:43.000000000 +0100 +++ /var/tmp/diff_new_pack.mOraYf/_new 2015-11-08 11:25:43.000000000 +0100 @@ -37,6 +37,14 @@ Patch3: sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch # PATCH-FIX-UPSTREAM CVE-2014-9496 bnc#911796 Patch4: sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch +# PATCH-FIX-UPSTREAM CVE-2014-9756 bsc#953521 +Patch5: libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch +# PATCH-FIX-UPSTREAM CVE-2015-7805 bsc#953516 +Patch6: libsndfile-src-common.c-Fix-a-header-parsing-bug.patch +# PATCH-FIX-SUSE CVE-2015-7805 bsc#953516 +Patch7: libsndfile-fix-header-read-CVE-2015-7805.patch +# PATCH-FIX-SUSE CVE-2015-8075 bsc#953519 +Patch8: libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch BuildRequires: alsa-devel BuildRequires: flac-devel BuildRequires: gcc-c++ @@ -87,9 +95,16 @@ %patch2 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter +%if %suse_version < 1200 +sed -i -e'/^AM_SILENT_RULES/d' configure.ac +%endif autoreconf --force --install CFLAGS="%{optflags} %{warn_flags}" export CFLAGS ++++++ libsndfile-fix-header-read-CVE-2015-7805.patch ++++++ --- src/common.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/src/common.c +++ b/src/common.c @@ -800,9 +800,10 @@ header_read (SF_PRIVATE *psf, void *ptr, if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header)) { int most ; - most = SIGNED_SIZEOF (psf->header) - psf->headindex ; + most = SIGNED_SIZEOF (psf->header) - psf->headend ; psf_fread (psf->header + psf->headend, 1, most, psf) ; - memcpy (ptr, psf->header + psf->headend, most) ; + most = SIGNED_SIZEOF (psf->header) - psf->headindex ; + memcpy (ptr, psf->header + psf->headindex, most) ; psf->headend = psf->headindex += most ; psf_fread ((char *) ptr + most, bytes - most, 1, psf) ; return bytes ; ++++++ libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch ++++++ --- src/common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/src/common.c +++ b/src/common.c @@ -1332,7 +1332,7 @@ psf_strlcpy_crlf (char *dest, const char char * destend = dest + destmax - 2 ; const char * srcend = src + srcmax ; - while (dest < destend && src < srcend) + while (*src && dest < destend && src < srcend) { if ((src [0] == '\r' && src [1] == '\n') || (src [0] == '\n' && src [1] == '\r')) { *dest++ = '\r' ; *dest++ = '\n' ; ++++++ libsndfile-src-common.c-Fix-a-header-parsing-bug.patch ++++++
From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001 From: Erik de Castro Lopo
Date: Sat, 7 Feb 2015 15:45:10 +1100 Subject: [PATCH] src/common.c : Fix a header parsing bug.
When the file header is bigger that SF_HEADER_LEN, the code would seek instead of reading causing file parse errors. The current header parsing and writing code *badly* needs a re-write. --- src/common.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) --- a/src/common.c +++ b/src/common.c @@ -795,21 +795,16 @@ header_read (SF_PRIVATE *psf, void *ptr, { int count = 0 ; if (psf->headindex >= SIGNED_SIZEOF (psf->header)) - { memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ; - - /* This is the best that we can do. */ - psf_fseek (psf, bytes, SEEK_CUR) ; - return bytes ; - } ; + return psf_fread (ptr, 1, bytes, psf) ; if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header)) { int most ; most = SIGNED_SIZEOF (psf->header) - psf->headindex ; psf_fread (psf->header + psf->headend, 1, most, psf) ; - memset ((char *) ptr + most, 0, bytes - most) ; - - psf_fseek (psf, bytes - most, SEEK_CUR) ; + memcpy (ptr, psf->header + psf->headend, most) ; + psf->headend = psf->headindex += most ; + psf_fread ((char *) ptr + most, bytes - most, 1, psf) ; return bytes ; } ; @@ -817,7 +812,7 @@ header_read (SF_PRIVATE *psf, void *ptr, { count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ; if (count != bytes - (int) (psf->headend - psf->headindex)) { psf_log_printf (psf, "Error : psf_fread returned short count.\n") ; - return 0 ; + return count ; } ; psf->headend += count ; } ; @@ -831,7 +826,6 @@ header_read (SF_PRIVATE *psf, void *ptr, static void header_seek (SF_PRIVATE *psf, sf_count_t position, int whence) { - switch (whence) { case SEEK_SET : if (position > SIGNED_SIZEOF (psf->header)) @@ -880,8 +874,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t static int header_gets (SF_PRIVATE *psf, char *ptr, int bufsize) -{ - int k ; +{ int k ; for (k = 0 ; k < bufsize - 1 ; k++) { if (psf->headindex < psf->headend) @@ -1068,8 +1061,10 @@ psf_binheader_readf (SF_PRIVATE *psf, ch case 'j' : /* Get the seek position first. */ count = va_arg (argptr, size_t) ; - header_seek (psf, count, SEEK_CUR) ; - byte_count += count ; + if (count) + { header_seek (psf, count, SEEK_CUR) ; + byte_count += count ; + } ; break ; default : ++++++ libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch ++++++
From 725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 Mon Sep 17 00:00:00 2001 From: Erik de Castro Lopo
Date: Wed, 24 Dec 2014 21:02:35 +1100 Subject: [PATCH] src/file_io.c : Prevent potential divide-by-zero.
Closes: https://github.com/erikd/libsndfile/issues/92 --- src/file_io.c | 3 +++ 1 file changed, 3 insertions(+) --- a/src/file_io.c +++ b/src/file_io.c @@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t { sf_count_t total = 0 ; ssize_t count ; + if (bytes == 0 || items == 0) + return 0 ; + if (psf->virtual_io) return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ;